Understanding Cyberattack as an Instrument of U.S./National Policy - PowerPoint PPT Presentation

Understanding Cyberattack as an Instrument of
U.S./National Policy
  • Herb Lin
  • Computer Science and Telecommunications Board
  • National Academies
  • 25 October 2010
  • Project supported by the MacArthur Foundation,
    Microsoft, and the National Research Council

Committee and report
  • Military
  • WILLIAM A. OWENS, co-chair (USN Retired, fmr
  • CARL G. OBERRY, The Boeing Company (USAF Ret)
  • Foreign Relations and Diplomacy
  • KENNETH W. DAM, co-chair, University of Chicago
  • SARAH SEWALL, Harvard University
  • Information technology
  • THOMAS A. BERSON, Anagram Laboratories
  • RICHARD L. GARWIN, IBM Fellow Emeritus
  • JEROME H. SALTZER, MIT, (retired)
  • MARK SEIDEN, MSB Associates
  • International and National Security Law
  • JACK L. GOLDSMITH, Harvard Law School
  • GERHARD CASPER, Stanford University

On classification
  • Study is entirely unclassified.
  • To our knowledge, first comprehensive integrated
    treatment of cyberattack from a policy
    perspective to examine technical, legal, ethical
  • Useful for policy makers to know what is
    knowable on an unclassified basis.

The broad context
  • Nations are increasingly dependent on information
    technology, and thus important IT functionality
    must be protected.
  • Cybersecurity: measures taken to protect or
    preserve a computer system or network and the
    information it holds.
  • Defensive cybersecurity (reports, legislation,
    • Passive defenses
      • Anti-virus and intrusion detection software
      • Better password security
      • Greater attack resistance in software
    • More robust law enforcement mechanisms
      • e.g., Convention on Cybercrime
  • Offensive cybersecurity (a generally classified
    • Offensive operations can be used for defensive
  • Cyber conflict and cyber security have both
    defensive and offensive dimensions, and
    comprehensive approaches require understanding

Basic taxonomy for offensive cyber operations
  • Cyberattack: action to destroy, degrade, disrupt
    adversary IT or information therein
  • Cyberexploitation: action to (very quietly)
    obtain information from adversary IT
  • Technical operations
    • remote (e.g., DOS, virus, worm)
    • close-access (e.g., USB key, software swap during
      shipment, compromised chip in manufacturing
      supply chain)
  • Social engineering operations
    • Tricking, bribing, blackmailing, extorting
      someone to take action
  • Technical and social operations are often
  • Cyberattack and cyberexploitation are technically
    very similar, hard for adversary to distinguish.
    (Also hard for news media to distinguish.)

Key characteristics
  • Offensive operations can be conducted with
    plausible deniability
    • But remember that adversaries make mistakes too,
      and all-source intelligence helps
  • Offensive technology is relatively inexpensive,
    widely available, and easy to obtain.
    • Many nonstate actors (companies, patriotic
      hackers, terrorists) can have influence and may
      be able to cause some of the same kinds of
      effects as state actors.
    • A resource-poor attacker may have significant
      leverage, by
      • using automation to reduce personnel needed and
        increase tempo.
      • stealing computing and financial resources
  • The indirect effects of cyberattacks are almost
    always more consequential than the direct effects
    of the attack, so cyberattacks must be judged by
    total effect, and indirect does not mean not
  • Effects can span an enormous range; cyberattack
    is a methodology, not a specific weapon per se.
  • A cyberattack is NOT of lesser consequence
    because it targets only a computer.
  • Effects may be significantly delayed in time from
    moment of insertion.

Operational considerations and realities
  • Cyber operations can be selective or
    non-selective in targeting.
    • Selectivity implies long lead time, complex
      intelligence requirements, specialized skills,
      higher cost
  • Cyber operations (especially attacks) can be very
    complex to plan and execute.
    • Larger range of options than most traditional
      military operations
    • Analysis of (many) outcome paths may require
      specialized knowledge (Stuxnet).
  • Time and spatial scales can span many orders of
  • A cyberattack may be
    • Usable only once or a few times
    • Limited temporally in effect and/or limited in
      scope (if highly targeted)
    • Technically fast but operationally slow, hence
      most suitable in non-time-urgent operational
      scenarios (e.g., early use): speed of light vs.
      speed of law/thought/analysis

Operational (continued)
  • Target identification
    • Translating IP address, processor serial number,
      configuration, keyboard language into target
    • Often a manual process
  • Plan operation
    • Gain access in advance (prepare the battlefield),
      determine vulnerability
    • Specify payload (identify effects sought)
    • Limit collateral damage (must know what is
      connected; cascading effects hard to predict)
  • Execute operation
    • May take place some time distant from obtaining
      access/vulnerability; defenses/configuration may
      have changed
  • Perform assessment (distinguish between real
    success and faked success)
    • If exploitation, misinformation may be returned
    • If attack, target may only appear to shut down
  • Many answers depend on detailed intelligence
    information on targets, and thus success of a
    cyber operation is highly contingent.

Possible connections of offensive cyber
operations for defensive purposes
  • Before adversary attack
    • Early warning of attack means living inside
      adversary network
    • May need to pre-empt offensive cyber action about
      to be undertaken by adversary
  • During adversary attack
    • May need to disrupt a cyberattack in progress by
      disabling attacking computers
  • After adversary attack
    • Need for conducting forensic investigation that
      may require multiple intrusions into proximate
      and intermediate nodes.
    • Retaliation a possibility to discourage further
  • And what of non-defensive purposes?

Illustrative non-defensive applications of
offensive cyber operations
  • Traditional military operations
    • Suppression of adversary air defenses.
    • Disruption of adversary plans for military
    • Disruption of adversary critical infrastructure
      (e.g., power grids)
  • Covert action
    • Influencing the outcome of a foreign election
      using electronic voting machines.
    • Altering electronic medical records of adversary
      military leaders.
    • Disruption of adversary infrastructure for
  • Cyberexploitation
    • Exploration of adversary command and control
      networks to determine command arrangements,
      orders of battle
    • Probes of adversary military networks in
      preparation for later attack.
    • Exfiltration of negotiating positions, political
      plans, commercial information.

U.S. policy today
  • National security
  • Law enforcement
  • Private sector

(parts of) DOD policy
  • DOD seeks superiority in the cyber domain--the
    state in which U.S. and friendly forces have
    complete freedom of action in the domain and
    adversary forces have no freedom of action.
    • Revised in recent testimony by Keith Alexander,
      who questioned US ability for the latter
    • NRC report concludes that enduring unilateral
      dominance in cyberspace is neither realistic nor
      achievable by the United States.
  • DOD implied declaratory policy on cyberattack
    • Cyberattack is just like any other weapon in the
      DOD arsenal except for operational
    • Cyberattack is better suited for early use, when
      there is time to collect intelligence
  • DOD has publicly announced policy re cyberattack
    in the case of active defense
    • USAF seeking capabilities for automated
      cyberattacks conducted for defensive purposes.

Intelligence on cyberexploitation and covert
  • Intelligence collection (including
    cyberexploitation) undertaken to further the
    interests of the United States outside CONUS:
    unlimited except if US persons involved. Not a
    violation of international law.
  • Intelligence collection on behalf of specific US
    companies not undertaken as a matter of US
    policy (not true for some other nations, e.g.,
  • Covert action (regulated by US statute):
    activities of the U.S. government to influence
    political, economic, or military conditions
    abroad, where it is intended that the role of the
    U.S. government will not be apparent or
    acknowledged publicly. Must be authorized by
    findings of the President, and reported to
    appropriate individuals in the U.S. Congress.
    Note alignment of plausible deniability
    requirement and technical characteristics of
    • One reported example: US against USSR in 1982.

One public story regarding alleged US cyberattack
on the Soviet Union
  • Soviet Union actively sought to obtain Western
    technology (including pipeline control software).
    US discovered the list of sought-after
  • In 1982, the U.S. spiked software that was
    subsequently obtained by the Soviet Union. The
    software was programmed to go haywire, and
    after a decent interval, to reset pump speeds and
    valve settings to produce pressures far beyond
    those acceptable to pipeline joints and welds.
  • The result -- a large explosion in a Siberian
    natural gas pipeline (visible from space, looked
    like a 3 kiloton nuclear blast)
  • Beyond the immediate effect, the Soviets came to
    understand over time that they had been
    stealing bogus technology, but now what were they
    to do? By implication, every cell of the Soviet
    leviathan might be infected. They had no way of
    knowing which equipment was sound, which was
    bogus. All was suspect, which was the intended
    endgame for the entire operation.
  • Source: Thomas Reed, At the Abyss: An Insider's
    History of the Cold War, Ballantine Books, New
    York, NY, 2004

Law enforcement and private sector action
  • Law enforcement
    • Cyberexploitation governed under various statutes
      re wiretapping, access to stored information, etc.
    • Cyberattack limited, but not forbidden (e.g.,
      jamming of cell phones to protect President)
    • Law enforcement authorities exempt from Computer
      Fraud and Abuse Act (CFAA).
  • Private sector
    • Governed by CFAA, which prohibits private action
    • Self-defense justification never attempted

On cyberdeterrence
The why and how of deterrence
  • How can we persuade adversaries to refrain from
    launching damaging cyberattacks?
  • Deterrence seems like the obvious inevitable
    choice in an offense-dominant world.
    • Passive defense is inadequate and eventually will
    • Law enforcement actions are too slow and
      uncertain in outcome.
  • Deterrence of nuclear threats in the Cold War
    establishes the paradigm (largely successful).
    Based on a credible threat to
    • (1) Deny the attacker the benefits of an attack
    • (2) Punish the attacker by imposing unacceptable

Deterrence (in classical form)
  • Denial (1) is too hard, hence punishment (2) is
    a more appealing strategy.
  • Threat of punishment requires
    • Attribution of attack to adversary
      • what system, which actor?
      • Cyberattack does not require skills that are
        limited to small set of adversaries
    • Knowing that an attack has happened
      • Noisy background
      • Ambiguous effect (exploitation? Delayed effect?)
      • Difficulty of correlating information across
        multiple affected sites
      • Slow forensics
    • Credibility
      • Nations conduct many highly visible military
        training exercises in part to demonstrate
        capabilities to potential adversaries. How
        should nations demonstrate (secret) cyber
  • Bottom line on cyberdeterrence: uncertainty
    about how traditional concepts of deterrence
    (i.e., 2) apply to cyberspace. Thus, denial has
    greater appeal (cf., recent Lynn Foreign Affairs

On escalation and termination
  • Deterring escalation is just as important
    (perhaps more so) as deterring onset of conflict.
  • Unintended escalation particularly dangerous when
    • operational actions are less visible to senior
      decision makers
    • outcomes of actions are more uncertain (e.g.,
      cascading effects)
  • How can cyberconflict be terminated?
    • Noisy background of criminal and hacker (and
      perhaps 3rd nation) cyberattacks
    • Requirements for termination: how to de-mine?
    • How to suppress patriotic hackers?

International law and offensive cyber operations
Jus ad Bellum (conditions for engaging in
  • UN Charter prohibits threat or use of force
    against the territorial integrity or political
    independence of any state (Art. 2(4))
  • Force not defined. By practice, it
    • includes conventional weapon attacks that damage
      persons or property
    • excludes economic or political acts (e.g.
      sanctions) that damage persons or property
  • UN Charter Art. 51 - Nothing in the present
    Charter shall impair the inherent right of
    individual or collective self-defence if an armed
    attack occurs against a Member of the United
  • Armed attack not defined, even for kinetic

When is a cyberattack a use of force or an
armed attack?
  • Easier
    • Exploitation w/o damage or degradation (no)
    • Cyberattack that causes physical damage akin to
      kinetic attack (yes)
    • Use of cyberattack during acknowledged armed
      conflict (not covered by Art. 2(4) but subject to
      LOAC jus in bello)
  • Harder
    • Economic damage without physical damage
    • Temporary, reversible interference with computer
    • Mere data destruction or degradation
    • Introduction of Trojan horse software agents
      • Payload with exploitation and attack
        capabilities? (cf. human spy skilled in
      • Payload to accept a future upgrade with unknown
      • Destructive payload with delayed action
        capability? (cf., pre-planted remotely
        detonatable mine)
      • Empty payload: a shell that can be remotely
        upgraded in the future
  • Cyberattack that has effects comparable to a
    kinetic armed attack is also an armed attack, but
    few good analogies to past kinetic precedents.

When is a cyberattack a use of force or an
armed attack?
  • Answers matter to attacked party, because they
    influence when and under what authority law
    enforcement (vis a vis military) takes the lead
    in responding, and what rights the victim might
    have in responding.
  • Answers matter to attacking party, because they
    set a threshold that policy makers may not wish
    to cross in taking assertive/aggressive actions
    to further its interests.

Some hard scenarios under the UN charter
  • Economic damage without physical damage
    • Raiding a national treasury?
  • Political interference without physical damage
    • Hacking electronic voting machines?
  • Temporary, reversible interference with
    military/critical infrastructure systems
    • DOS attack?
  • Mere data destruction or degradation
    • Corruption of database responsible for military
      logistics scheduling?
  • Violations of neutrality in cyberspace?
    • Use of a third nation's routers to carry a
  • Ambiguities between legal exploitation and
    illegal attack?
    • Introduction of agent for exploitation with
      remotely upgradeable capabilities?
  • Attacks on dual-use infrastructure?
    • Requirements for separation of military and
      civilian infrastructure?
  • Inherently clandestine and deception-based
    attacks? (perhaps analogous to submarine warfare
    in 1914?)
  • National responsibility for non-state actors?
  • Time delay between insertion and use for attack?

Jus in Bello (behavior during conflict)
  • Principle of Non-Perfidy
    • Cannot pretend to be legally protected entity
  • Principle of Proportionality
    • Collateral damage on civilian targets acceptable
      if not disproportionate to the military
      advantage gained.
  • Principle of Distinction
    • Military operations only against military
      objectives and not against civilian targets

  • Requirement for identification of USG
    • USAF insignia on airplanes and cruise missiles.
    • Military personnel in distinctive uniforms.
    • Trojan horses with distinctive identifiers: This
      agent is a bona fide weapon of the US
    • Public infrastructure so that any victim can
      verify the authenticity of such an identifier?
  • Requirement for identifying military and civilian
    targets in cyberspace?
    • Nations have obligations to enable identification
      of military assets (distinctive vehicles with
      insignias) and are entitled to identify entities
      legally immune to attack (Red Cross on
      ambulances, white flags).
    • What must be done to identify military
      computers/networks? IT assets of hospitals and
      religious institutions? Who will verify the
      latter? (International Red Cross?)

Proportionality: uncertainty regarding outcome of
a cyberattack
  • Outcomes often more uncertain than for attacking
    physical targets
    • Indirect, cascading effects
    • Collateral damage difficult to calculate
    • No empirical or theoretical basis on which to
      estimate collateral damage (no cyber blast
  • Uncertainty amplified by need to gather
    intelligence promptly in many tactical situations
  • Experience in Balkans suggests long lead times
    for decisions on using cyber operations, due in
    part to JAG review

Distinction: Legitimacy of attacks that disable
computer-dependent civilian services
  • Military communications often take place over the
    Internet; military forces depend to some
    extent on commercial power grid. Are the national
    infrastructure for Internet (e.g., routers) and
    power grid valid military targets?
  • To what extent are computer-dependent civilian
    services or communications essential to life in
    a modern society? Does disruption in these
    services rise to the level of causing death and

Arms Control Regimes for Cyberattack?
Why might regimes be desirable?
  • Reduce likelihood of conflict, damage if conflict
  • Allies significantly more dependent on IT, thus
    restrictions on cyberattack asymmetrically
    benefit Allies
  • Delegitimize cyberattack as a military weapon and
    discourage other nations from developing such
    capabilities for use against Allied interests.

Reasons for skepticism?
  • Other nations will develop cyberattack
    capabilities under any circumstances. (Some see
    cyberattack as an ideal instrument of
    asymmetrical warfare.)
  • Verification of limiting capabilities essentially
    • Can't restrict code, expertise/knowledge,
      underlying technology
    • Infrastructure needed to conduct attacks is
      small, easily hidden.

Restrictions on use of cyberattack?
  • Refrain from striking at national financial
    systems or power grids (similar to no kinetic
    attack on hospitals or no blinding lasers)
    • May require cooperative measures (e.g.,
      electronic identification of permitted and/or
      prohibited targets)
  • Attackers can violate such agreements (just as a
    kinetic attacker can target ambulances or fire
    mortars from sanctuaries), and compliance in
    wartime is not assured.
  • However, such agreements
    • Help to create international norms regarding the
      acceptability of such behavior.
    • Inhibit training that calls for violation.
    • May be enforced to some degree through threat of
      reciprocal use.
    • Probably most useful prior to the onset of
      conflict, because a signatory would have
      incentives to comply to avoid unwanted

Many complicating factors
  • Living with any regime we claim to want must be
  • Routine cyberexploitation during crisis might be
    escalatory; refraining from cyberexploitation
    during crisis may deprive NCA of valuable
    tactical information (e.g., early warning).
  • Difficulty of technical attribution makes proving
    a violation hard.
  • Non-state attackers (patriotic hackers,
  • Widespread diffusion of relevant technology and
  • Private sector ownership/operation of cyberspace?
    • May require high degree of intrusiveness on the
      behavior of individuals and of the private
    • Possible national responsibility for private
      sector actions

Collateral agreements/understandings may be
  • Examples from non-cyber world
    • Advance notification of ballistic missile
    • Measures to prevent dangerous incidents at sea
    • Hotlines to promote communication during crisis
  • Possible collateral agreements for cyber
    • Agreements to cooperate promptly in investigation
      of cyberattacks from home territory
    • Agreements on sufficiency of evidence to presume

Private Sector Equities
Google and China
  • Google raised two issues (Operation Aurora)
    • Attempts to compromise email accounts of Chinese
      human rights activists
    • Penetrations of 34 companies (mostly in Silicon
      Valley) to obtain corporate data and software
      source code.
  • China held responsible by Google for these
    • Targeted attack against specific individuals,
      using previously unknown vulnerability in
      Internet Explorer that allows remote code
    • Google undertook its own forensic investigation,
      gaining access to a computer in Taiwan and
      monitoring its operations to identify penetration
    • Attribution to China made largely on the basis of
      attacks' technical sophistication and breadth and
      the targets of the cyber operations.
    • Some reports indicate that malware used in latter
      penetration employed an algorithm contained in a
      technical report published only on
      Chinese-language Web sites.
    • Non-circumstantial evidence is scarce; highlights
      difference between technical attribution and
      political decision to hold a nation accountable
      based on all sources of information.
  • Subsequent Google action to un-censor its China
    search engine
  • Some actions traced to elite Chinese IT schools
    • Many possible/plausible explanations (govt
      sanctioned activity, overly enthusiastic
      students, contest, final exam)

Some questions raised by Google/China engagement
  • Google action to uncensor its search engines -
    retaliation for Chinese actions?
  • How and to what extent, if any, should private
    entities be allowed to shoot back? Does private
    shoot-back increase or decrease likelihood that a
    private entity will be attacked?
  • How and to what extent, if any, should private
    entities be allowed to conduct their own forensic
    investigations (which may involve some degree of
  • Private actors in U.S. engaging in cross-border
    offensive operations (patriotic hackers, U.S.
    corporations acting in self-defense) have legal
    implications for the U.S.
    • U.S. responsibility potentially implicated if
      private actions rise to use of force
    • Possible interference with US government cyber

More broadly
  • Certain cyberattacks undertaken by the United
    States are likely to have significant operational
    implications for the U.S. private sector.
    • Internet-based attack may require cooperation of
      U.S./Allied ISPs (ISPs usually asked to suppress
      cyberattacks; what about shutting down a US
    • Shaping the cyber battlefield may require
      cooperation of U.S./Allied IT vendors and service
    • Adversary response to U.S. cyberattack may affect
      U.S. ISPs and critical infrastructure may be

Some broad observations and issues
Bear in mind
  • Cyber conflict is not separate from other spheres
    of potential conflict.
  • Options for responding to cyberattacks on the
    United States span a broad range and include a
    mix of dynamic changes in defensive postures, law
    enforcement actions, diplomacy, cyberattacks, and
    kinetic attacks.
  • Cyber conflict is not just relevant to US
    government, and issues arise in deterring attacks
    on private sector entities.

Nuclear conflict as analogy for cyber
  • Many superficially obvious connections
    • Relevant concepts: early/tactical warning, attack
      assessment, stability, deterrence, offense
      dominance, counterforce, countervalue, escalation
      control, first use, first strike, secure second
      strike, war termination, launch under attack,
      launch on warning, employment options,
      proliferation, fratricide, laws of war, cascading
      effects, unpredictable effects, command and
  • But deeper analysis suggests badness of fit
    • Private sector doesn't have nuclear weapons.
    • Many of the same questions/issues arise in cyber
      as in nuclear (as well as in many other forms of
    • Answers to these questions are mostly very
  • Some suggest biological weapons are a better
    metaphor from a strategic point of view
    (deterrence, arms control, and so on).

Fostering a national debate on cyberattack
  • The U.S. government and other nations should
    conduct a broad, unclassified national debate and
    discussion about cyberattack policy, ensuring
    that all parties are involved in discussions and
    familiar with the issues.
  • Some aspects of cyberattack SHOULD be classified,
    • U.S. interest in a specific cyberattack
    • Fragile and sensitive operational details that
      are not specific to the technologies themselves
    • Capabilities and intentions of specific
  • But these are not relevant to answering questions
    about declaratory policy, and thus secrecy about
    policy issues serves to inhibit necessary
    discussion about them.
  • Impossible to have a coherent discussion of
    policy while discussing only the defensive side;
    discussing defense only leads to a victim

C2 for offensive cyber operations
  • Early use of cyberattack may be easy to
    contemplate in a pre-conflict situation, so a
    greater degree of operational oversight for
    cyberattack and cyberexploitation may be needed
    compared to use of other options.
  • Confusion on adversary's part regarding intent of
    cyber operation; an exploitation may be seen as
    an attack.
  • Operational footprint left by cyberattack
    activities is small, and routine activities may
    be less visible to senior decision makers.

Some interesting fundamental questions
  • In light of the poor track record of deploying
    cyber defenses adequate to meet the threat, how
    and to what extent can offensive cyber operations
    enhance cybersecurity?
  • In light of limited law enforcement response
    capabilities, how and to what extent, if any,
    should private entities be allowed to shoot back
    or investigate? Does private shoot-back increase
    or decrease likelihood that a private entity will
    be attacked?
  • What can/should a nation do in cyberspace in
    conditions short of avowed armed conflict or in
    response to actions that fall short of armed
    attack or uses of force?
  • How (if at all) should an attacking nation enable
    adversaries to differentiate between exploitation
    and attack?
  • How, if at all, are existing international legal
    regimes (e.g., the laws of armed conflict, the
    Geneva Conventions) adequate to manage
  • What is the role of international cooperation and
    agreements in managing cyber conflict?

Report explores all these issues in much greater
  • Herb Lin
  • Chief Scientist, Computer Science and
    Telecommunications Board
  • National Research Council
  • 202-334-3191, hlin_at_nas.edu
  • Download reports free
    • Search for
      • Macarthur Foundation, Cyberattack, Policy
      • NRC report, deterring cyberattacks
        (latter has 50 interesting research questions)